Information and quotes on the Sasser worm, written by David Endler, Director of Digital Vaccine, TippingPoint.

Sasser is a new self-executing attack worm which takes advantage of a Microsoft vulnerability in the Local Security Authority Subsystem Service (LSASS), announced recently in Microsoft Advisory MS04-011. Upon infecting a host, the worm copies itself to the Windows system directory, opens a backdoor on TCP port 9996, and starts randomly scanning TCP port 445 for further hosts to infect. Exploitation of the LSASS vulnerability may cause the vulnerable host to crash or reboot.
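As an added illustration that is not part of the original article or TippingPoint's own tooling, the following Python script turns the two network behaviours described above (random TCP/445 scanning and the TCP/9996 backdoor) into simple detection heuristics run over constructed firewall connection-log lines; the log format, the fan-out threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall connection log (not from the article).
# Assumed format: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> TCP"
SAMPLE_LOG = """\
10:00:01 10.1.1.5:1031 -> 10.1.1.9:445 TCP
10:00:01 10.1.1.5:1032 -> 192.168.4.17:445 TCP
10:00:02 10.1.1.5:1033 -> 172.16.9.200:445 TCP
10:00:02 10.1.1.5:1034 -> 10.77.3.4:445 TCP
10:00:03 10.1.1.5:1035 -> 10.1.2.60:445 TCP
10:00:03 10.1.1.5:1036 -> 10.1.2.61:445 TCP
10:00:04 10.1.1.9:2001 -> 10.1.1.5:9996 TCP
10:00:05 10.1.1.20:3010 -> 10.1.1.30:445 TCP
10:00:06 10.1.1.20:3011 -> 10.1.1.30:139 TCP
"""

LINE_RE = re.compile(r"^\S+ (\S+):\d+ -> (\S+):(\d+) TCP$")


def parse_connections(log_text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed TCP log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_sasser_like(log_text, fanout_threshold=5):
    """Return {host: indicators} for hosts showing Sasser-like network behaviour.

    Indicator 1: one source touching many distinct hosts on TCP/445 (worm scanning).
    Indicator 2: a host accepting connections on TCP/9996 (the worm's backdoor port).
    The threshold of 5 distinct targets is an assumed value, not from the article.
    """
    targets_445 = defaultdict(set)   # src -> distinct destination IPs probed on 445
    clients_9996 = defaultdict(set)  # dst -> distinct sources that connected to 9996
    for src, dst, port in parse_connections(log_text):
        if port == 445:
            targets_445[src].add(dst)
        elif port == 9996:
            clients_9996[dst].add(src)

    flagged = {}
    for host in set(targets_445) | set(clients_9996):
        indicators = {}
        if len(targets_445[host]) >= fanout_threshold:
            indicators["scan_445_targets"] = len(targets_445[host])
        if clients_9996[host]:
            indicators["backdoor_9996_clients"] = len(clients_9996[host])
        if indicators:
            flagged[host] = indicators
    return flagged


if __name__ == "__main__":
    for host, why in sorted(find_sasser_like(SAMPLE_LOG).items()):
        print(host, why)
```

On the sample log only 10.1.1.5 is flagged: it probed six distinct hosts on TCP/445 and then accepted a connection on TCP/9996, while 10.1.1.20's two ordinary SMB/NetBIOS connections stay below the threshold.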

1. Sasser exploits a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) that was reported in Microsoft's April security advisories on April 13th. The vulnerable LSASS.exe process, which handles user logins on Windows systems, runs by default on almost all Windows 2000, XP, and Windows Server 2003 computers. Sasser.A was first discovered in the wild on April 30th, and two other variants surfaced on May 1st and May 2nd respectively. Sasser.A, Sasser.B, and Sasser.C differ only slightly in their payloads.

2. Sasser doesn't require human interaction to spread. Unlike the Slammer worm, which was only memory-resident, Sasser copies itself to disk as a file and runs as a process in the background. Home users can easily tell whether they have been infected simply by checking for the existence of "avserv.exe" or "avserv2.exe."

3. On April 13th, Microsoft announced the LSASS vulnerability in MS04-011. On April 24th, a limited LSASS exploit was publicly released, and on April 27th it was integrated into the Phatbot/Agobot family of worms, which also exploit a wide range of other Microsoft vulnerabilities. On April 29th, a fully functional LSASS exploit was publicly released which allowed an attacker to easily exploit a wider range of vulnerable hosts. The Sasser worm variants are based on this second "universal" exploit, and were first discovered in the wild on April 30th. This is another example of the increasing trend of automated worm exploitation typically following public exploit release by several days.

4. In the same MS04-011 security advisory, Microsoft announced a vulnerability in its SSL library which could allow an attacker to compromise an IIS web server, or many other applications that also rely on SSL support. A functional exploit against IIS 5.0 was released for this vulnerability a week ago. While this vulnerability does not provide as potentially large a target base for exploitation as the LSASS vulnerability, it is likely that this exploit will similarly be integrated into a new Phatbot/Agobot variant or standalone worm soon.

5. It is likely that the number of Sasser-infected computers will start to increase late Sunday as computer users around the world turn their computers on as Monday morning approaches.

6. One of the latest Netsky virus variants discovered in the wild on May 2, dubbed Netsky.AC by some AV vendors, contains encrypted strings which suggest the Netsky author(s) claim authorship of the Sasser worm:

"Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...

Here is an part of the sasser sourcecode you named so, lol void TryLsass(char *pszIP){ char arOS[130]; if(detect(pszIP,arOS)==1)"
